Android notifications play a key role in our everyday smartphone use, keeping us updated on messages, calls, events, news, and social media with ease. However, these same notifications could also expose you to potential risks.
While the notifications aren’t harmful by themselves, a security researcher has recently demonstrated a clever method that attackers can use to disguise malicious links as ordinary notifications, potentially tricking users into clicking them.
Computer engineer Gabriele Digregorio has revealed that Android’s notification system can be exploited by attackers using the interactive “Open link” prompt. This feature can be manipulated to show a link that appears safe, while actually redirecting users to a completely different—and potentially harmful—website. The core issue lies in how Android notifications process certain Unicode characters. According to Digregorio, these characters can cause mismatches between the visible link shown in the notification and the actual link used by the system’s “Open link” suggestion.
In such cases, attackers can insert invisible Unicode characters into a URL. Because the Android notification system does not treat these characters consistently, the text the user reads still looks like one legitimate address, but the component that detects links in notification text treats the inserted character as a boundary. It splits the URL into segments and recognizes only the trailing segment as the destination for the “Open link” button, so the user is silently sent somewhere other than the address they see.
This vulnerability remains open to exploitation.
Digregorio demonstrated this vulnerability using an example involving an Amazon link. By inserting a Unicode character between “ama” and “zon,” the notification appeared to display a legitimate “amazon.com” link, while the actual “Open link” button redirected to the unrelated and potentially malicious “zon.com.”
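To make the mechanism described above concrete, the following is an added example, not code from the researcher or from Android. It models a linkifier with a simple regular expression that accepts only hostname and URL characters, so an invisible character ends a token and the remainder is picked up as its own link. It then compares what the user would see (the text with invisible format characters dropped) against what that linkifier would open. The page does not say which Unicode character was inserted between “ama” and “zon”; U+200B ZERO WIDTH SPACE is assumed here, and the notification strings are constructed for the demonstration.

```python
import re
import unicodedata

# Constructed sample input for this demonstration. The article says a Unicode
# character was inserted between "ama" and "zon" but not which one, so U+200B
# ZERO WIDTH SPACE is an assumption made here.
ZWSP = "\u200b"
SPOOFED = f"Your package shipped. Track it: https://ama{ZWSP}zon.com/orders"
CLEAN = "Your package shipped. Track it: https://amazon.com/orders"

# Stand-in for a linkifier. This is NOT Android's implementation, only a model
# of the behaviour the article describes: a token may contain only hostname/URL
# characters, so an invisible character terminates it and the trailing part
# ("zon.com/...") is recognised as a separate, valid-looking link.
_LINK = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?",
    re.IGNORECASE,
)


def hidden_format_chars(text: str) -> list[tuple[int, str]]:
    """Positions and names of Unicode format (Cf) characters, which render invisibly."""
    return [
        (i, unicodedata.name(ch, f"U+{ord(ch):04X}"))
        for i, ch in enumerate(text)
        if unicodedata.category(ch) == "Cf"
    ]


def as_displayed(text: str) -> str:
    """What the user reads: the same text with invisible format characters removed."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def extract_links(text: str) -> list[str]:
    """Links the simulated 'Open link' suggestion would offer for this text."""
    return [m.group(0) for m in _LINK.finditer(text)]


def audit(text: str) -> dict:
    """Compare the link the user sees against the link the linkifier would open.

    A notification is flagged when the two differ, i.e. when hidden characters
    change what gets extracted without changing what is displayed. Rendering a
    notification only after this check (or after as_displayed()) removes the
    mismatch the attack depends on.
    """
    shown = extract_links(as_displayed(text))
    actual = extract_links(text)
    return {
        "hidden_chars": hidden_format_chars(text),
        "shown_links": shown,
        "actual_links": actual,
        "mismatch": shown != actual,
    }


if __name__ == "__main__":
    for label, msg in (("spoofed", SPOOFED), ("clean", CLEAN)):
        r = audit(msg)
        print(f"{label}: shown={r['shown_links']} actual={r['actual_links']} "
              f"hidden={[n for _, n in r['hidden_chars']]} mismatch={r['mismatch']}")
```

Running it shows the spoofed message displaying as “https://amazon.com/orders” while the simulated link handler extracts only “zon.com/orders”; the clean message produces identical lists and is not flagged. The same visible-versus-extracted comparison is the check an app or a notification pipeline can apply before offering an “Open link” action.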
In another instance, he embedded a functional “wa.me” link—used to initiate WhatsApp actions—within a link to a Wired article, effectively disguising the true action of the link. The researcher tested the vulnerability on various apps, including WhatsApp, Telegram, Instagram, Discord, and Slack. However, he emphasized that the flaw lies in Android’s notification system—not in the individual apps.
Tests were conducted on multiple devices: a Google Pixel 9 Pro XL (Android 16), a Pixel 9 Pro (Android 15), a Samsung Galaxy S25 (Android 15), and a Galaxy S21 Ultra (Android 14). Google was notified about the issue in March via the Google Bug Hunters program and classified it as a “moderate severity” vulnerability. As a result, it won’t receive an immediate fix but will instead be addressed in a future security update.